In this episode, Jay Rosen returns from a week’s trip to Walt Disney World. Jay and I have a wide-ranging discussion on some of the week’s top compliance related stories. We discuss:

  1. DOJ Criminal Division’s Acting Principal Deputy Assistant Attorney General remarks on the FCPA and its enforcement. – See text of speech by clicking here. See Matt Kelly’s blog post by clicking here.
  2. Whistleblowers in the news. See Tom’s article on the Barclay’s CEO and Amtrust in FCPA Blog and on KPMG in Compliance Week. Mike Volkov weighs on whistleblowing as indicia of corporate culture here.
  3. One year reports note that declinations are on the rise under the on the now one-year old FCPA Pilot Program. For Miller & Chevalier report click here (sub. req’d). For the Stanford University FCPA Clearinghouse Report in the Wall Street Journal, click here.
  4. Tribute to Kara Brockmeyer, retiring as head of the SEC’s FCPA Unit. See Tom’s article in Compliance Week.
  5. Jay details his upcoming conference schedule and weekend report on ethics and compliance observations from the Florida version of the Magic Kingdom.
  6. Listeners to this podcast can received a discount to Compliance Week 2017. Go to registration and enter discount code CW17TOMFOX.

One area that has bedeviled Chief Compliance Officers (CCOs) and compliance practitioners is how to determine the return on investment (ROI) for your compliance program regarding third parties. While it is still clear that third parties are the greatest risk in Foreign Corrupt Practices Act (FCPA) enforcement actions, senior management often wants to know what is the monetary benefit to the company for this type of risk management.

When you couple the request for ROI with the recent Department of Justice (DOJ) mandate for the operationalization of your compliance program, as articulated in the Evaluation of Corporate Compliance Programs, it may seem like a doubly daunting task. However the requirement for operationalization of your compliance program actually lends itself to formulating ROI around the risk management of third parties. This is because if you move the third-party compliance into the organization as a business process, with a technological solution, the ROI becomes not only clearer but easier to calculate going forward.

I recently read a study by Forrester Research Inc., suggested an approach for the anti-corruption compliance practitioner. In this study, Forrester compared the user experience, leading to a finding of a positive ROI for the technology user around third-party risk management. I found the approach and methodology used persuasive and valuable for the compliance professional to consider in evaluating such a process in your organization.

Some of the key findings readily translate across for the anti-corruption compliance practitioner. The first area was in risk assessments of third parties. If you are able to provide a technological platform, you can enhance both the speed and efficiency of your risk assessments on an ongoing basis. The decrease in time it would take for each risk assessment, both in terms of length and compliance department man-hours will yield an immediate cost saving for your compliance function.

Consider just two of the steps required in the lifecycle management of third parties, the questionnaire and due diligence. Both steps can be not only labor intensive to complete and analyze but the cycles of time spend sending out a questionnaire, receiving a completed form and then inputting the information into a spreadsheet for manual analysis can be quite time consuming. It usually involves the basic tools of spreadsheets, interviews, Internet searches and additional questionnaires. By tailoring your questionnaire to the specific risk areas and using logical question design you can reduce confusion and therefore decrease the cycle of response time. Additionally, in the final step of managing the relationship there is often not only a dearth of data but usually the data is in such a siloed format that (1) it cannot be utilized between corporate functions and (2) there can be no meaningful comparison across the third parties. Through standardized questions and responses, this data can be compared across the spectrum of third parties.

In addition to the increased efficiency in the compliance portion of this analysis, by operationalizing your third-party risk management in this manner, you increase business efficiency by bringing in more dollars more quickly for third parties on the sales side. For third parties on the Supply Chain side, the efficiencies turn on your use of their products or services more quickly in business critical elements of your company. Simply put, approving third parties and incorporating them into your business cycle will not only save your money more quickly and efficiently but also make you money more quickly and efficiently.

Using a tool that incorporates Software-as-a-Service (SaaS) platform would also allow a more comprehensive review of data and information for several reasons. Firstly the various types of data is not siloed but stored in a centralized platform. Second, having this type of data allows for not only an ongoing review of each third-party but also allows you to review historical trends. This enables you to move from detection to prevention and possibly even delivery of a prescriptive solution before an issue arises to a full-blown FCPA violation. You would also be able to garner a better understanding of relationships across industry sectors and countries with a bigger picture look.

Obviously you will need to set the parameters for the risks to be assessed but more clearly in the FCPA they deal with third parties who are or who have, as owners, Politically Exposed Persons (PEPs), the inability to account for discretionary funds such as marketing or other expenses was seen in a recent FCPA enforcement action, payments to offshore locations or unusual commission or other payments tied 100% to sales. Not only would your company have more and greater visibility into such issues but the range of third parties you could monitor would increase, perhaps at an exponential rate. As with the cost savings of the initial risk assessment, there would be similar savings for ongoing monitoring in the area of greater efficiency and need for smaller headcount from the compliance function to perform such ongoing monitoring.

The speed and robustness of this database is a key element in operationalizing your compliance program in the area of third parties. The prevent component of any compliance regime is improved as you would have better visibility into potential non-compliant third parties which you may have to discharge. You would also have the ability to work with non-compliant third parties to remedy any issues before they become legal violations and then recommend extra monitoring as appropriate.

Using the above as a guide the ROI calculation would be something along the lines of the number total number of hours spent on each risk assessment x the total risk assessments performed x the hourly rate of the compliance professional performing the services. So if you spend 20 hours on 50 risk assessments and the hourly rate for your in-house compliance professional is $100, the ROI is $100,000. Now just think of what that number would be around third parties if the SC third parties runs into the thousands. Even with a round number of 1,000 for such third parties, your ROI increases to $2MM. Of course you have to subtract out the cost for any technological solution but with these types of efficiencies, your ROI will still be quite impressive.

There are a wide variety of other factors that could increase your ROI, as detailed in the Forrester report, which include renewal assessments, ongoing monitoring, increase in business efficiencies for both your organization and the third parties, which would all work to uplift your ROI. Most critically you would demonstrate the operationalization of your compliance program into the very fabric of your organization.

Three Key Takeaways

  1. Why is it important to demonstrate ROI on your third party risk management program?
  2. Determining your ROI helps to demonstrate operationalizing your compliance program.
  3. Determining third party management program ROI can help to tear down compliance silos. 

 

This month’s podcast series is sponsored by Opus. Opus helps free your business from the complexity and uncertainty of managing the risks associated with your customers, vendors, and third parties. By combining the most innovative Third-Party Risk Management and Know Your Customer Compliance SaaS platforms with unparalleled data solutions, Opus turns information into action so your business can thrive. Opus solutions include Hiperos 3PM accelerator, the leading platform for third party risk management. To learn more, go to www.opus.com.

 

 

 

 

When was the last time you considered the health of your company’s third party management program? A good way to test that well-being is to perform a check-up on your third party program. An article entitled “Third Party Essentials: A Reputation/Liability Checkup When Using Third Parties Globally”, provided a manner for the compliance practitioner to test an “organizations health status concerning your relationship to your third parties.” The article provided seven points that you can consider in a self-assessment:

  1. Do you have a list or database of all your third parties and their information? Does your company have a full list of all third parties including such basic information as name, location, type of services provided, contract files and dates, principals of the third party and primary contact, due diligence files and any other information you might need to manage the third party relationship going forward? When was the last time this list was checked or updated?
  2. Have you done a risk assessment of your third parties and prioritized them by level of risk? You need to check and double-check which third party services present the greatest risk to your company by asking some of the following questions: (a) Is the third party’s service critical to your business?; (b) Is the third party’s service performed with little company supervision or oversight?; (c) Does the third party have access to any company funds, resources or assets?; (d) Can the third party fund the company contractually?; and (e) Does the third party obtain any foreign governmental licenses, certifications or other approvals for your company? When was the last time you asked these questions of the Business Sponsor or Relationship Manager.
  3. Do you have a due diligence process for the selection of third parties, based on the risk assessment? You should use the information determined through the risk assessment to “tailor the level of diligence to the level of risk.” Assign a risk profile to categories, such as high, medium and low. The higher the risk, the more due diligence will be required to vet the third party. Do you receive updated due diligence reports on a quarterly, semi-annual or annual basis?
  4. Once the risk categories have been determined, create a written due diligence process. Obviously you need to have a written policy and defined procedures to implement your due diligence policy. However, when was the last time it was reviewed or updated? What happens if you the compliance professional is hit by a bus coming to work? Would a substitute know what to do or would there be a written reference for your replacement? You should consider the following: (a) who is responsible for implementation; (b) list of red flags and how such red flags are to be dealt with and cleared; (c) a procedure to pay for any due diligence performed; (d) reference checks on third parties; (e) procedures for in-person interviews for third parties in a high risk category; (f) conflicts of interest checks, and (g) process for documentation and storage of all of the above information.
  5. Once the third party has been selected based on the due diligence process, do you have a contract with the third party stating all the expectations? When was the last time you considered your compliance terms and conditions or reviewed all of your third party contracts to ascertain if they include compliance terms and conditions: (a) anti-corruption and anti-bribery certification; (b)requirement that the third party maintain accurate books and records and that your company has audit rights; (c) indemnity rights; (d) anti-corruption and anti-bribery training for the third party’s employees; (e) an anonymous reporting mechanism for ethics complaints; (f) require the third party to obtain pre-approval to subcontract out any of its work for your company; (g) require the third party to report any ownership change back to your company, and lastly (h) clear termination rights.
  6. Relationship Managers. Just as your company would never have an employee who is not supervised, your company should not have a third party which does not have company oversight. Do you rotate Relationship Managers? What training has the compliance function provided to them as the company’s point of contact for third parties?
  7. Red flags review. When was the last time you checked on your third parties for any new red flags which may have arisen after the initial due diligence was performed or completed? At what interval do you update or renew your due diligence? How about a change from the company side regarding sales, sales practices, products or services which might become high-risk?

Many companies understand the maxim “Know Your Customer (KYC)”, nevertheless, in today’s global economy this maxim may well need to be expanded to “Know Your Third Party”. The bottom is that that there is no out, no; when it comes to third party risk management and third party compliance efforts. A good place to start is with a third program party checkup.

Three Key Takeaways

  1. What is the health of your third party risk management program?
  2. When was the last time you reviewed and updated your third party database list?
  3. Expand your KYC thinking to Know Your Third Party.

 

This month’s podcast series is sponsored by Opus. Opus helps free your business from the complexity and uncertainty of managing the risks associated with your customers, vendors, and third parties. By combining the most innovative Third-Party Risk Management and Know Your Customer Compliance SaaS platforms with unparalleled data solutions, Opus turns information into action so your business can thrive. Opus solutions include Hiperos 3PM accelerator, the leading platform for third party risk management. To learn more, go to www.opus.com.

 

 

 

Internal controls are a key tool to operationalize your third party risk management program. Initially, a compliance practitioner should perform an analysis of any third party representative to provide insight into the pattern of dealings with such third parties and, therefore, the areas where additional controls should be considered. The basic internal controls, that should be a part of any financial controls system, include some or all of the following:

  • A control to correlate the approval of payments made to contracts with third party representatives and your company’s internal system for processing invoices.
  • A control to monitor all situations in which funds can be sent outside the US, in whatever form your company might use, which could include accounts payable computer checks, manual checks, wire transfers, replenishment of petty cash, loans, advances or other forms.
  • A control for the approval of sales discounts to distributors.
  • A control for the approval of accounts receivable write-offs.
  • A control for the granting of credit terms to third parties or customers outside the US.
  • A control for agreements for re-purchase of inventory sold to third parties or customers.
  • A control for opening of bank accounts specifically including accounts opened at request of an agent or a customer.
  • A control for the movement / disposal of inventory.
  • A control for the movement / disposal of movable fixed assets.
  • A control for execution and modification of contracts and agreements outside the US.

There should also be internal control needs based on activities with third party representatives. These could include some or all of the following internal controls:

  • A control for the structure and enforcement of the Delegation of Authority.
  • A control for the maintenance of the vendor master file.
  • A control around expense reports received from third parties.
  • A control for gifts, entertainment and business courtesy expenditures by third party representatives.
  • A control for charitable donations.
  • A control for all cash / currency, inventory, fixed asset transactions, and contract execution in countries outside the US where the country manager has final authority.
  • A control for any other activity for which there is a defined corporate policy relating to FCPA.

While that may appear to be an overly exhaustive list, there were four significant controls the compliance practitioner implement initially. They include: (1) Delegation of Authority (DOA); (2) Maintenance of the vendor master file; (3) Contracts with third parties; and (4) Movement of cash / currency.

A DOA should reflect the impact of corruption risk including both transactions and geographic location so that a higher level of approval for matters involving third parties and for fund transfers and invoice payments to countries outside the US would be required inside an organization. Often, a DOA is prepared without much thought given to FCPA risks. Unfortunately once a DOA is prepared it is not used again until it is time to update for personnel changes. Moreover, it is often not available, not kept current, and/or did not define authority in a way even the approvers could understand it. Therefore it is incumbent that the DOA be integrated into a company’s accounts payable (AP) processing system in a manner that ensures all high-risk vendor invoices receive the proper visibility. To achieve this you should identify the vendors within the vendor master file so payments are flagged for the appropriate approval BEFORE they are paid.

Furthermore if a DOA is properly prepared and enforced, it can be a powerful preventive tool for FCPA compliance. For example, consider a wire transfer of $X between company bank accounts in the US might require approval by the Finance Manager at the initiating location and one officer. However, a wire transfer of $X to the company’s bank account in Nigeria, could require approval by the Finance Manager, a knowledgeable person in the Compliance function, and one officer. In this situation, the DOA should specify who must give the final approval for engaging third parties. Moreover, the DOA should address replenishment of petty cash funds in countries outside the US, as well as approval of expense reports for employees who work outside the US (including those who travel from the US to work outside the US).

Some believe the vendor master file, can be one of the most powerful PREVENTIVE control tools largely because payments to fictitious vendors are one of the most common occupational frauds. The vendor master file should be structured so that each vendor can be identified not only by risk level but also by the date on which the vetting was completed and the vendor received final approval. There should be electronic controls in place to block payments to any vendor for which vetting has not been approved. Next manual controls are needed over the submission, approval, and input of changes to the vendor master file. These controls include verification that all vendors have been approved before their information (and the vendor approval date) is input into the vendor master. Finally, manual controls are also needed when “one time” vendors are requested, when a vendor name and/or vendor payment information changes are submitted.

Near and dear to my heart as a lawyer, contracts with third parties can be a very effective internal control which works to prevent nefarious conduct rather than simply as a detect control. I would caution that for contracts to provide effective internal controls, relevant terms of those contracts (commission rate, whether business expenses can be reimbursed, use of subagents, etc.,) should be extracted and available to those who process and approve vendor invoices. If there are nonconforming service descriptions, commission rates, etc., present in a contract such terms must be approved not only by the original approver but also by the person so delegated in the DOA Unfortunately contracts are not typically integrated into the internal control system. They are left off to the side on their own, usually gathering dust in the legal department file room.

One FCPA enforcement action was an excellent example of the lack of internal control over the disbursements of funds and movement of currency because you had the country manager delivering bags of cash to a government official to obtain or retain business. All situations where funds can be sent outside the US (AP computer checks, manual checks, wire transfers, replenishment of petty cash, loans, advances, etc.,) should be reviewed from a compliance risk standpoint. Further, within a company structure you need to identify the ways in which a country manager (or a sales manager, etc.,) could cause funds to be transferred to their control and to conceal the true nature of the use of the funds within the accounting system.

All wire transfers outside the US should have defined approvals in the DOA, and the persons who execute the wire transfers should be required to evidence agreement of the approvals to the DOA and wire transfer requests going out of the US should always require dual approvals. Lastly, wire transfer requests going outside the US should be required to include a description of proper business purpose.

Never forget that internal controls are in reality, simply good financial controls. The internal controls that he detailed for third party representatives in the compliance context will help to detect fraud, which could well lead to the prevention of bribery and corruption.

Three Key Takeaways

  1. Internal controls are a key component of any operationalized compliance program.
  2. Internal controls are good financial controls.
  3. The top four internal controls for compliance are: (a) Delegation of Authority (DOA); (b) Maintenance of the vendor master file; (c) Contracts with third parties; and (d) Movement of cash / currency.

 

This month’s podcast series is sponsored by Opus. Opus helps free your business from the complexity and uncertainty of managing the risks associated with your customers, vendors, and third parties. By combining the most innovative Third-Party Risk Management and Know Your Customer Compliance SaaS platforms with unparalleled data solutions, Opus turns information into action so your business can thrive. Opus solutions include Hiperos 3PM accelerator, the leading platform for third party risk management. To learn more, go to www.opus.com.

 

 

 

Next I consider at how data analytics can be used to help detect or prevent bribery and corruption where the primary sales force used by a company is third parties. A clear majority of Foreign Corrupt Practices Act (FCPA) violations and related enforcement actions have come from the use of third parties. While sham contracting (i.e. using a third party to conduit the payment of a bribe) has lessened in recent years, there are related data analysis that can be performed to ascertain whether a third party is likely performing legitimate services for your company and is not a sham.  There are several more complex analytics that can be run in combination to identify suspicious third parties, and some of the simplest can be to look for duplicate or erroneous payments.

A key to moving from detection to prevention is the frequency of review. It is common for organizations to periodically review a year or more of accounts payable invoices at one time for errors or overpayment. Changing this from a one-time annual or biannual event to something that is done daily or weekly dramatically improves the value of such internal controls. This more frequent, preventative analysis is integral to a foundation of third party audits. While many company perform periodic look-back audits, ongoing monitoring also works to accomplish the same queries on a daily or weekly basis. This allows organizations to find duplicate payments or overpayments after the invoice has been approved but prior to its disbursement. So instead of detecting a payment error three or six months after it is made, you prevent the money from leaving the company altogether.

Duplicate invoices are a favorite mechanism of fraudsters. Consider the following scenario, Invoice No. 955-TX, was paid for $10,597.95. Thirty days later the same vendor re-submitted the same invoice due to non-payment, but it was recorded by the payor organization without the hyphen between 955 and TX, consequently it was not detected by the system of payable controls. The problem is the second invoice had slightly different writing on the face of it, but it was for the same services and hence was a duplicate invoice. On the company side, both invoices were scanned into the company’s imaging system and queued for payment. Data analysis can locate such overpayments and identify a second payment should not be made because it is a match of one that had been previously approved.

Another analysis, which a compliance practitioner could compare using vendor name and other identifying information, for example address, country, data from a watch list such as Politically Exposed Persons (PEP) or Specially Designated National (SDN), to names and other identifying information on your vendor file. An inquiry could also be used to test in other ways such as if a vendor has the same surname as a vendor on the specially designated national terrorist list, or a politically exposed person.

Now suppose they share the same name as an elected official down in Brazil. How do we make sure that our vendor or broker is a different John Doe than the John Doe that is a politically exposed person in that country? It is only upon closer inspection where you can determine that the middle names are different and the ages are different, one of has an address is Brasilia and the other is in Sao Paulo. Without further inspection including other demographic information about your vendors, consultants or third parties and the comparing them to watch list individuals, such red flags are present but not cleared. That is what data analytics is designed to do, is to help you go from tens of thousands of “maybes” to a very small number of potential issues which need to be researched individually.

One of the important functions of any best practices compliance program is to not only follow the money but try to spot where pots of money could be created to pay bribes. Through comparison of invoices for similar items among similar vendors, data analytics uncover overcharges and fraudulent billings. Continual transaction monitoring and data analysis can prove its value through more frequent review, as individuals tend to perform better when they know they are being monitored.

The techniques used in transaction monitoring for suspicious invoices can be easily translated into data analysis for anti-corruption. Software allows a very large aggregation of suspicious payments not only by day or by month, but also by vendor or even by employee who may have keyed the invoices into your system. As these suspicious invoices begin to cluster by market, business unit or person a pattern forms which can be the basis of additional inquiry. That is the value of analytics. Analytics allows a compliance practitioner to sort and resort, combine and aggregate, so that patterns can be investigated more fully.

This final concept, of finding patterns that can be discerned through the aggregation of huge amounts of transactions, is the next step for compliance functions. Yet data analysis does far more than simply allow you to follow the money. It can be a part of your third party ongoing monitoring as well by allowing you to partner the information on third parties who might come into your company where there was no proper compliance vetting. Such capabilities are clearly where you need to be heading.

Three Key Takeaways

  1. Always remember to follow the money to see where a pot of money could be created to fund a bribe.
  2. Transaction monitoring techniques around fraud monitoring translate to data analysis for compliance.
  3. Do not forget to check names against known PEP and SDN lists.

 

This month’s podcast series is sponsored by Opus. Opus helps free your business from the complexity and uncertainty of managing the risks associated with your customers, vendors, and third parties. By combining the most innovative Third-Party Risk Management and Know Your Customer Compliance SaaS platforms with unparalleled data solutions, Opus turns information into action so your business can thrive. Opus solutions include Hiperos 3PM accelerator, the leading platform for third party risk management. To learn more, go to www.opus.com.